CVE-2022-48941: ice: fix concurrent reset and removal of VFs
In the Linux kernel, the following vulnerability has been resolved:
ice: fix concurrent reset and removal of VFs
Commit c503e63200c6 ("ice: Stop processing VF messages during teardown")
introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is
intended to prevent some issues with concurrently handling messages from
VFs while tearing down the VFs.
This change was motivated by crashes caused while tearing down and
bringing up VFs in rapid succession.
It turns out that the fix actually introduces issues with the VF driver
caused because the PF no longer responds to any messages sent by the VF
during its .remove routine. This results in the VF potentially removing
its DMA memory before the PF has shut down the device queues.
Additionally, the fix doesn't actually resolve concurrency issues within
the ice driver. It is possible for a VF to initiate a reset just prior
to the ice driver removing VFs. This can result in the remove task
concurrently operating while the VF is being reset. This results in
similar memory corruption and panics purportedly fixed by that commit.
Fix this concurrency at its root by protecting both the reset and
removal flows using the existing VF cfg_lock. This ensures that we
cannot remove the VF while any outstanding critical tasks such as a
virtchnl message or a reset are occurring.
This locking change also fixes the root cause originally fixed by commit
c503e63200c6 ("ice: Stop processing VF messages during teardown"), so we
can simply revert it.
Note that I kept these two changes together because simply reverting the
original commit alone would leave the driver vulnerable to worse race
conditions.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can crash systems that use the ice network driver with virtual functions. The failure comes from a race during VF reset and removal, where cleanup can overlap with active VF work and cause memory corruption or panics. The sources do not provide CVSS scoring or evidence of active exploitation.
Executive priority
Treat this as targeted operational risk for hosts using ice virtual functions, especially virtualization or network-heavy systems. Prioritize patch verification on those systems, but avoid broad emergency response unless your environment depends on this driver path.
Technical view
The ice driver previously stopped responding to VF messages during teardown, but that allowed VF DMA memory removal before PF queue shutdown. A VF reset could also race with VF removal. The fix protects reset and removal flows with the existing VF cfg_lock and reverts the earlier teardown flag behavior.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with the ice driver and VF functionality in use. Systems not using this driver or virtual functions are less likely to be exposed based on the provided description.
Exploitation context
CISA KEV is false in the bundle, and no cited source reports active exploitation. The described trigger is a concurrency condition around VF reset and removal, with impact stated as memory corruption and kernel panics.
Researcher notes
The key security-relevant behavior is memory corruption from concurrent VF reset and removal. The fix serializes critical VF operations using cfg_lock and removes the incomplete ICE_VF_DEINIT_IN_PROGRESS approach. Evidence is incomplete for exploitability beyond crash or corruption.
Mitigation direction
Upgrade to a Linux kernel containing the referenced stable fixes.
Check distribution or vendor kernel advisories for backported fixes.
Prioritize hosts using ice virtual functions in production networking.
Avoid relying on the earlier teardown flag behavior as a mitigation.
Validation and detection
Inventory Linux kernels against the affected version information in the CVE bundle.
Identify hosts loading the ice driver with configured virtual functions.
Confirm patched kernels include one of the referenced stable commits or equivalent backport.
Review kernel logs for panics during VF teardown, reset, or rapid reconfiguration.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48941 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.